AUDIT REPORT

INFORMATION SYSTEM CONTROLS

AT THE NATIONAL MUSEUM OF NATURAL HISTORY

Number A-04-03

September 9, 2004

SUMMARY

The Office of the Inspector General audited information system controls at the National Museum of Natural History (NMNH). The purpose of the audit was to evaluate NMNH information system controls for system access, network security, and operating system configuration. We excluded from this report our assessments of NMNH UNIX and web server applications. These assessments will be reported separately when completed as a follow-on report.

The following points were considerations throughout our audit: adequate security of information and the systems that process it is a fundamental management responsibility. Of necessity, management must strike a reasonable balance between information technology security and operational capability because some controls impede operations. It is Smithsonian policy, as well as good business practice, that controls be established to maintain accountability for the custody and use of resources and to provide reasonable assurance that assets are safeguarded against loss or unauthorized use.

NMNH did have some system security controls in place regarding system backup and network intrusion detection. However, we determined that NMNH network security, operating system configurations, and system access safeguards were inadequate, and that the risk to system access and data integrity was high. During our audit, NMNH management made some system account reviews and changes and began reviewing configuration deficiencies identified during the audit.

We made recommendations to the Director, NMNH, and to the Chief Information Officer. We recommended that the Director, NMNH, ensure that staff update NMNH system resources server inventory documentation; address and correct identified network security holes and remove unnecessary open network ports, servers, and user accounts on NMNH servers and workstations; reaffirm the necessity to comply with the Smithsonian Institution password policy; review operating system configurations in Windows servers to ensure that they are securely configured to Office of the Chief Information Officer (OCIO) and industry standards and install missing patches and updates; and establish a process to ensure regular oversight of the current NMNH practice permitting NMNH units to establish and administer their own servers, or formalize a reassignment of these responsibilities to a unit that can ensure that these systems are securely configured and administered. We also recommended that the Chief Information Officer clarify the necessity of when and where to place web site links to the Smithsonian privacy policy and copyright restrictions and consider establishing a policy requiring a more secure method of file sharing.

Management agreed with the recommendations, and planned actions are responsive to the recommendations.

TABLE OF CONTENTS

                                                            Page

1. Introduction ................................................. 1

        A. Purpose .............................................. 1

        B. Scope and Methodology ................................ 1

        C. Background ........................................... 1

2. Results of Audit ............................................. 2

Appendix A. Glossary ........................................... 12

Appendix B. Policies and Industry Standards .................... 14

Appendix C. Management Comments ................................ 17

ABBREVIATIONS AND ACRONYMS

ADP     Automated Data Processing
FAT     File Allocation Table
FTP     File Transfer Protocol
HTTP    Hypertext Transfer Protocol
IT      Information Technology
NIST    National Institute of Standards and Technology
NMNH    National Museum of Natural History
NTFS    New Technology File System
OCIO    Office of the Chief Information Officer
SANS    SysAdmin, Audit, Network, Security Institute
SI      Smithsonian Institution
SSH     Secure Shell
SNMP    Simple Network Management Protocol

INTRODUCTION

A. Purpose

The purpose of the audit was to evaluate NMNH information system controls for system access, network security, and operating system configuration.

B. Scope and Methodology

The audit was conducted from November 14, 2003, to August 5, 2004, in accordance with generally accepted government auditing standards. We excluded from this report our assessments of NMNH UNIX and web server applications. These assessments will be reported separately when completed as a follow-on report.

The audit methodology consisted of the following:

- Identifying and reviewing applicable Institution policies and procedures related to general system controls, computer system security, and integrity of computer resources.
- Comparing NMNH system security settings with industry and Institution standards.
- Evaluating controls meant to safeguard and protect networks.
- Assessing the adequacy of controls meant to prevent and detect unauthorized activities.
- Utilizing guidance issued by the Smithsonian Office of the Chief Information Officer, National Institute of Standards and Technology (NIST), National Security Agency, and Microsoft Corporation relating to system security configuration.

Our review also included interviews with NMNH technology staff, through which we gained an understanding of the practices employed concerning system configuration, network security, and system access.

C. Background

The NMNH opened to the public in March 1910 as the National Museum. NMNH is dedicated to maintaining and preserving the world's most extensive collection of natural history specimens and human artifacts. It also fosters scientific research as well as educational programs and exhibitions that present the work of its scientists and curators to the public.

NMNH Information Technology (IT) administration is composed of two formal units: Automated Data Processing (ADP) and Informatics. We were able to identify approximately 2,800 system resources composed of servers, workstations, printers, and network devices connected to the NMNH network.

RESULTS OF AUDIT

NMNH Information Systems

NMNH systems security can be strengthened to prevent unauthorized access. Specifically, opportunities exist to strengthen controls over network access and server operating systems security configurations and settings.¹ This condition exists because of partially uncoordinated information technology administration across NMNH as well as a lack of oversight and inconsistent compliance with OCIO system administration policies and guidance. Also, according to ADP and Informatics staff, there has been a shortage of staff and insufficient training to effectively manage the complex and diverse information technology needs. As a result, NMNH information systems are vulnerable to unauthorized access and the integrity of its data could be compromised.

Results

We performed internal and external network security reviews of NMNH servers and NMNH client workstations as part of access control testing.² In addition, we assessed the server operating systems against industry guidance and configuration standards.³ From these assessments, we determined that configurations should be modified to meet minimum industry-recommended security configuration standards.

Network Access

Externally and internally, we were successful in identifying some open ports and services that are vulnerable. We were provided with an inventory listing of servers by the NMNH ADP department that identified, for each server listed, the Internet protocol address, resource name, operating system, and unit administration. Comparison of network scans to the server inventory list revealed the listing was incomplete in regards to Internet protocol addresses and operating systems.
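The comparison of network scans against the ADP server inventory described above is a reconciliation that can be scripted and repeated. The Python below is an added example, not part of the audit report and not an NMNH or SI tool. The inventory records and scan results are constructed sample data (hostnames under the reserved .test domain, private-range addresses); the inventory field layout (Internet protocol address, resource name, operating system, administering unit) follows the description in the text. It reports hosts seen on the network but absent from the inventory, the subset of those answering on port 80 (likely undocumented web servers), inventory names that do not match what the host at that address actually calls itself, and inventory rows for addresses that did not answer at all.

```python
"""Reconcile a server inventory against network-scan results.

Added example, not from the audit report or any NMNH tool. The inventory
records and scan results are constructed sample data; hostnames use the
reserved .test domain and the addresses are private-range placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class InventoryRecord:
    """One row of the ADP inventory: address, resource name, OS, administering unit."""
    ip: str
    name: str
    os: str
    unit: str


@dataclass(frozen=True)
class ScanResult:
    """One host seen by the scan: address, the name it answered with, open TCP ports."""
    ip: str
    hostname: str
    open_ports: frozenset


# Constructed sample inventory (hypothetical hosts and units).
INVENTORY = [
    InventoryRecord("10.0.1.10", "nhdata.example.test", "Windows 2000", "ADP"),
    InventoryRecord("10.0.1.11", "nhadmin.example.test", "Windows 2000", "ADP"),
    InventoryRecord("10.0.1.12", "nhback.example.test", "NetWare", "ADP"),
    InventoryRecord("10.0.1.13", "nhmis.example.test", "Windows NT", "ADP"),
]

# Constructed sample scan results (hypothetical hosts).
SCAN = [
    ScanResult("10.0.1.10", "nhdata.example.test", frozenset({139, 445})),
    # Documented as nhadmin, but the host at this address now answers as nhmis.
    ScanResult("10.0.1.11", "nhmis.example.test", frozenset({139})),
    ScanResult("10.0.1.12", "nhback.example.test", frozenset({524})),
    # Two hosts absent from the inventory, both serving HTTP on port 80.
    ScanResult("10.0.1.40", "voom.example.test", frozenset({21, 80})),
    ScanResult("10.0.1.41", "wrbu.example.test", frozenset({22, 80, 139})),
]

HTTP_PORT = 80


def reconcile(inventory, scan):
    """Compare scan results with the inventory and return findings by category.

    Categories:
      not_in_inventory     - scanned hosts with no inventory row for their address
      web_not_in_inventory - the subset of those that answer on port 80
      name_mismatch        - inventory rows whose name differs from the scanned hostname
      inventory_not_seen   - inventory rows whose address did not answer the scan
    Each value is a list of addresses in numeric order.
    """
    by_ip = {rec.ip: rec for rec in inventory}
    seen = set()
    findings = {
        "not_in_inventory": [],
        "web_not_in_inventory": [],
        "name_mismatch": [],
        "inventory_not_seen": [],
    }
    for host in scan:
        seen.add(host.ip)
        rec = by_ip.get(host.ip)
        if rec is None:
            findings["not_in_inventory"].append(host.ip)
            if HTTP_PORT in host.open_ports:
                findings["web_not_in_inventory"].append(host.ip)
        elif rec.name.lower() != host.hostname.lower():
            findings["name_mismatch"].append(host.ip)
    findings["inventory_not_seen"] = [ip for ip in by_ip if ip not in seen]
    return {k: sorted(v, key=ip_address) for k, v in findings.items()}


if __name__ == "__main__":
    for category, ips in reconcile(INVENTORY, SCAN).items():
        print(f"{category}: {', '.join(ips) or 'none'}")
```

Run against the constructed data, the script flags the two undocumented hosts (both web servers), the address whose documented name no longer matches, and the inventory row that nothing answered for. Keying the comparison on the address rather than the name is deliberate: the report notes that names and documented addresses had drifted apart, and the address is what the scan actually observes.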
However, the acting ADP manager stated there have been recent OCIO network address changes that were not reflected in the inventory list. Also, the ADP manager stated he was working on updating the server inventory listing and needed to coordinate with other unit administrators to update the information.

Through our scans and discussions with ADP and the NMNH Informatics webmaster we discovered other servers that were not included in the NMNH server inventory. Moreover, some NMNH server names did not match the documented Internet protocol address. In addition, our network scans discovered other NMNH servers not included in the server inventory or administered by NMNH ADP or Informatics.

We performed scans of 53 NMNH servers.⁴ Analysis of the 53 internally scanned servers revealed 53 security holes, 37 of which, or 70 percent, were related to the SANS Institute Top 10 Microsoft Windows Vulnerabilities.⁵ The major ports and services include NetBIOS and Anonymous logon, Simple Network Management Protocol (SNMP), Secure Shell (SSH), HTTP (Hypertext Transfer Protocol) and FTP (File Transfer Protocol).⁶ In performing our review, we did not provide notice of when our network testing was to be performed. However, on numerous occasions NMNH ADP identified our internal network security testing as suspicious activity, which showed some controls are in place to identify suspicious activity within NMNH.

¹ See Appendix A, Glossary of technical definitions, for an explanation of these and other terms used in this report.
² Internal networks are systems accessible within the SI network. External networks are Internet accessible.
³ Appendix B contains a summary of policies and industry security standards used during this audit.
⁴ The 53 NMNH servers consist of 18 Windows, 16 UNIX based, 15 Netware operating system servers, and 4 unconfirmed operating systems. We did not discover vulnerabilities with the Netware servers and concentrated on the Windows servers. Reviews of the NMNH UNIX operating system and Apache web server applications will be addressed in a separate follow-on report.

The following chart shows the NMNH server security holes discovered compared to the SANS Top 10 Windows Vulnerabilities.

[Chart: "26 NMNH Servers Compared to SANS Top 10 Windows Vulnerabilities" (pie chart): 70% (37) SANS Top 10 Security Holes; 30% (16) Other Security Holes.]

The NetBIOS service, for example, is recognized as a common Windows operating system weakness. Through our testing, we were able to identify 15 of 18 Windows servers which had enabled the NetBIOS protocol. According to NIST 800-43, enabling default Microsoft Windows NetBIOS over certain networks permits the server storage drives to be easily shared and network accessible. Sharing drives across networks is not recommended, unless necessary, because it can permit unauthorized and undetected access to information stored on drives. In addition, according to the SANS, NetBIOS and Simple Network Management Protocol are two of the top 20 most critical Internet security vulnerabilities because they disclose information such as server services, account names, and passwords to unauthorized users.

We were successful in gaining access by exploiting the NetBIOS vulnerability for 13 of the 18 NMNH Windows servers and numerous workstations. Of the 13 Windows servers, we were able to obtain numerous system administrative password accounts. Once we had obtained these accounts, we were able, without authorization, to gain access to the server files and directories. Further analyses of the password files show that some of the administrative passwords were not in compliance with Institution complexity policies, which require the passwords to be at least eight characters and contain a combination of alphanumeric characters and special characters.

We identified vulnerabilities within the NMNH workstations. We performed scans of 13 class "C" networks and identified 711 security holes that were distributed among 39 different services and open ports.⁷ Analyses of the workstations compared to the SANS vulnerabilities identified NetBIOS Network Shares, anonymous logon null session, SSH, SNMP, HTTP, FTP vulnerabilities, remote registry access, and remote procedure calls.⁸

⁵ The SANS (SysAdmin, Audit, Network, Security Institute) was established in 1989 as a cooperative system security research and education organization. The SANS Top 20 vulnerability list for Windows and UNIX/Linux includes the 10 most commonly exploited vulnerable services in Windows and the 10 most commonly exploited vulnerable services in UNIX and Linux.
⁶ See Appendix A, Glossary.
⁷ Class "C" networks consisted of 254 addresses each, for a total of 3,302.
⁸ See Appendix A, Glossary.

In addition, there was no SI banner warning on most of the computers that had FTP, telnet, and SSH ports and services available.⁹

The following chart shows the comparison of the security holes to the SANS Top 10 Windows vulnerabilities.

[Chart: "Discovered Among PC's Compared to SANS Top 10 Windows Vulnerabilities" (pie chart): SANS Top 10 Security Holes; 19% (135) Other Security Holes.]

Workstation access control testing permitted the gathering of password files. Further analyses showed that the passwords were not in compliance with SI policy. Passwords were either blank or the same as the user account. Using administrative accounts, we were able to establish a network path directly to some workstations. We discovered 19 additional web servers upon further analysis of the workstation scans that showed HTTP or port 80 open (a common port used for web servers) that were not included in the NMNH server inventory lists. For example, the following web servers were discovered that were not on the NMNH inventory:

- MSCWEB.si.edu and MSCWEB2.si.edu are intranet web portals for the Museum Support Center.
- WRBU.si.edu is used by Walter Reed Biosystematics Unit as an external web server residing within the SI and NMNH internal network and contained five security holes that include NetBIOS, SSH, HTTP, and two other services.
- VOOM.si.edu is an external web server residing within the SI and NMNH internal network and had two security holes as well as FTP vulnerability. The FTP vulnerabilities permitted our tests to gain access to the server and place files on it externally and internally.
- LMS.si.edu is an internal web server used by the Laboratory of Analytical Biology and had five security holes, including FTP, SSH, HTTP, and two others.
- SEMANALYSIS.si.edu is an internal web server that contained two security holes.
- MNMHN-MSPDOC7.si.edu contained one security hole.

We also specifically tested whether NMNH computers (servers and workstations) were vulnerable to the following high-risk Microsoft worm vulnerabilities: remote procedure call, local security authority subsystem service, and SQL (Structured Query Language) Server Resolution.¹⁰ From these tests we identified the following:

- 1 server vulnerable to the remote procedure call worm;
- 364 workstations vulnerable to the RPC (remote procedure call) worm;
- 72 workstations vulnerable to the LSASS (local security authority subsystem service) worm;
- 1 workstation vulnerable to the SQL Server Resolution worm.

⁹ See Appendix A, Glossary.
¹⁰ See Appendix A, Glossary.

Web Site Privacy Policy Posting

Through our port scans we identified the common HTTP port 80 used for Internet web servers. We browsed to these computers and identified them as being NMNH websites. Some of these NMNH websites are accessible publicly through the Internet. Our review of these websites found that there was no privacy policy or copyright statement, they contained links to non-SI websites, and these servers were not located within the protected area of the SI network for publicly accessible web servers. Also, discussions with NMNH IT staff revealed that it was unclear whether a link to the SI privacy policy is required on each web page and if there is an SI design standard that should be used by the museums. It is common industry practice as well as an Office of Management and Budget recommendation that federal websites have a clearly posted privacy policy.

Voom.si.edu, for example, is publicly available through the Internet and does not have the SI privacy statement, offers images with no copyright restrictions, and contains links to non-SI websites. We were able to gain administrative access to this website externally through the Internet using FTP and thereby bypass the SI firewall and compromise the SI internal network. Three other websites that are publicly available (ravenel.si.edu, goode.si.edu, and rathbun.si.edu) also do not contain the SI privacy statement.

Server Operating Systems

We compared server operating system configurations and settings against Smithsonian and industry standards and guidance. We sampled 9 of the 18 Windows servers for comparison against SI and industry hardening guidelines (guidelines for securing operating systems and applications). From our analyses we determined the following:

- Security patches and hotfixes were not up to date for operating systems, Internet Explorer, Microsoft Structured Query Language, Microsoft Data Access Components and Remote Procedure Control. However, for some servers that had installed the Internet Information Services application, this application was up to date with patches and hotfixes.
- Directory Access Control is a Windows file and directory auditing feature. These permissions were not optimally set to restrict server file and directory access. Also, we identified one server that was formatted as FAT (file allocation table) and not the recommended NTFS (new technology file system). NTFS offers extensive security permissions and auditing features while FAT does not.
- Protective registry settings were not enabled. Establishing strict permissions for registry settings prevents unauthorized users from altering or modifying the operating system and applications.
- Internet Information Services were not properly configured. Although the servers that contained the Internet Information Services web server application were up to date with patches and hotfixes, additional application security configurations were not set.¹¹
- There were numerous user accounts with system administrative privileges whose accounts have not been used within 90 days and whose passwords were older than the 90-day SI requirement. Upon discovery of this, ADP began to review and remove unnecessary accounts.

¹¹ The Internet Information Service applications were identified as vulnerable to arbitrary command execution. The command can be used to call arbitrary commands to the web server through a user's web browser. For example, users could use their browsers to execute commands on the web server such as erasing the server's hard drive, thereby bringing down the web server.

The following table summarizes our assessment of the NMNH Windows operating system configurations we reviewed.

                                  1     2     3     4     5     6     7     8     9    10
Percentages
  Passed and NA (a)             29%   51%   31%   29%   27%   26%   24%   17%   34%   24%
  Failed                        71%   49%   69%   71%   73%   74%   76%   83%   66%   76%
Tests Failed by Risk Level
  High (b)                        9     7     8     9     9    10    10    11     7    10
  Medium (c)                     12     7    11    12    13    13    14    15    10    14
  Low (d)                        (row illegible in the source)
  Total                          49    34    48    50    51    52    53    58    46    53

The nine servers were 1. MNHSYNCSORT, 2. MNHWEBSHIELD, 3. MNHWEBMAIL, 4. ADPWEB, 5. NHBVMASTER, 6. NHADMIN, 7. NHMIS, 8. NHBACK, and 9. NHDATA. The source gives a tenth column without a label.
a. Non-applicable tests were not applicable to the type of server being reviewed.
b. High Risk is high enough to cause a business disruption if exploited.
c. Medium Risk in conjunction with another event could cause a business disruption if exploited.

NMNH information systems are large, highly diverse, and have numerous SI tenants as well as non-SI tenants with system resources residing on the network. NMNH system administration is spread among different units who have been permitted to establish various systems to support their unit or organizational needs. Although not formalized or overseen, according to ADP staff, these units are responsible for system administration and for complying with SI and OCIO system guidance and requirements.
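Two of the findings above lend themselves to one periodic account-hygiene review: passwords that fail the Institution's complexity requirement (at least eight characters with a mix of alphanumeric and special characters) or that are blank or the same as the user account, and administrative accounts that have gone unused, or whose passwords have gone unchanged, for more than the 90-day limit. The Python below is an added example, not the audit team's tooling and not an SI or NMNH script. The account records, dates and field names are constructed. A real account export would hold password hashes rather than plaintext, and in practice the complexity rule is enforced in a password-change filter at the moment a password is set; the plaintext column here exists only to show the rule being applied, while the age and inactivity checks are the ones that genuinely run over an export.

```python
"""Account-hygiene review against the SI password and account-age rules.

Added example, not the audit team's tooling or an SI script. The account
records, dates and field names are constructed. Plaintext passwords appear
only to illustrate the complexity rule; a real export would hold hashes,
and the complexity checks would run inside a password-change filter.
"""
from datetime import date
import string

MIN_LENGTH = 8      # SI policy as stated in the report: at least eight characters
MAX_AGE_DAYS = 90   # SI policy as stated in the report: 90-day password age / inactivity limit
SPECIALS = set(string.punctuation)


def password_findings(username, password):
    """Return the complexity-policy failures for one password (empty list = compliant)."""
    if not password:
        return ["blank password"]
    findings = []
    if password.lower() == username.lower():
        findings.append("password equals user name")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIALS for c in password)
    if not (has_alpha and has_digit and has_special):
        findings.append("missing alphanumeric and special character mix")
    return findings


def account_findings(account, today):
    """Password findings plus the 90-day inactivity (admins only) and password-age checks."""
    findings = password_findings(account["user"], account["password"])
    if account["admin"] and (today - account["last_logon"]).days > MAX_AGE_DAYS:
        findings.append(f"administrative account unused for more than {MAX_AGE_DAYS} days")
    if (today - account["password_set"]).days > MAX_AGE_DAYS:
        findings.append(f"password older than {MAX_AGE_DAYS} days")
    return findings


def audit(accounts, today):
    """Map each non-compliant user name to its findings; compliant accounts are omitted."""
    report = {}
    for account in accounts:
        findings = account_findings(account, today)
        if findings:
            report[account["user"]] = findings
    return report


# Constructed sample export; the review date is set to the audit's last field day.
TODAY = date(2004, 8, 5)
ACCOUNTS = [
    {"user": "adpadmin", "password": "Tr1ceratops!", "admin": True,
     "last_logon": date(2004, 7, 30), "password_set": date(2004, 6, 1)},
    {"user": "nhback", "password": "nhback", "admin": True,
     "last_logon": date(2004, 2, 1), "password_set": date(2003, 11, 1)},
    {"user": "labuser", "password": "", "admin": False,
     "last_logon": date(2004, 8, 1), "password_set": date(2004, 7, 1)},
    {"user": "curator", "password": "specimen2004", "admin": False,
     "last_logon": date(2004, 8, 4), "password_set": date(2004, 7, 15)},
]

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, TODAY).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

On the constructed data the compliant administrator produces no output, the dormant administrative account collects every finding at once, the blank password is reported on its own, and the long but letters-and-digits-only password is caught by the character-mix rule despite its length. The review is meant to be run on a schedule (the management comments commit to quarterly password reviews), so keeping the policy values in named constants makes a later change to the limits a one-line edit.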
We believe that NMNH system security weaknesses result from partially uncoordinated information technology administration across NMNH as well as from inconsistent compliance with OCIO system administration policies and guidance. Also, according to ADP and Informatics staff, there has been a shortage of staff and insufficient training to effectively manage the complex and diverse information technology needs. NMNH has recognized the need to better coordinate its IT administration and, according to the NMNH IT Director, plans are being developed to merge some NMNH IT units into one central unit.

According to industry standards, the weaknesses we identified at NMNH can lead to inadequate access controls that diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data. NMNH information systems resources are vulnerable to network and server business disruptions and potential compromises to data integrity.

Conclusion

Based upon our system configuration and network analyses, we believe that NMNH can improve system security by introducing an assessment process into its information technology administration. Implementing security assessments and performing periodic reviews can identify risks, thereby limiting vulnerabilities and preventing system compromises.

Recommendations

We made eleven recommendations to the Director, National Museum of Natural History:

1. We recommended that the Director, National Museum of Natural History, ensure that his staff review the identified open ports and available services and close those that are deemed unnecessary.

Management Comments

Concur. NMNH is currently reviewing all NMNH controlled servers for compliance with OCIO policies and will create a report of the services and ports currently open on each server, to whom, and why. In addition, as part of the migration to a firewall system, NMNH will identify all open ports and services. During the migration period, NMNH will review the open ports and services and determine if any are no longer required and document the business requirement for the ports left open. Target completion date: December 31, 2004.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

2. We recommended that the Director, National Museum of Natural History, ensure that his staff update the server inventory documentation to ensure that all NMNH system resources are accurately accounted for and up-to-date.

Management Comments

Concur. NMNH has begun work to update the server inventory documentation. Target completion date: December 31, 2004.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

3. We recommended that the Director, National Museum of Natural History, ensure that his staff address and correct the server and workstation security holes identified.

Management Comments

Concur. Correcting the high risk server and workstation security weaknesses is a priority for NMNH. Since this work is labor intensive, NMNH will first draft a plan by December 31 that identifies the most cost-effective methodology to mitigate the weaknesses and the resources needed to complete the task. Target completion date: May 1, 2005.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

4. We recommended that the Director, National Museum of Natural History, ensure that his staff reaffirm the necessity to comply with the SI password policy across NMNH and non-SI tenants.

Management Comments

Concur. NMNH is committed to achieving compliance with the SI password policy contained in SD 931. NMNH will send an e-mail to all NMNH employees and those from other agencies working in the museum reiterating the SI password policy and commit to reviewing passwords on a quarterly basis consistent with the guidance contained in the SI IT Security Controls Manual. Target completion date: November 30, 2004.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

5. We recommended that the Director, National Museum of Natural History, ensure that his staff review and remove unnecessary accounts on all servers and workstations.

Management Comments

Concur. As a first step, NMNH will review the information provided by the Office of the Inspector General and remove all unnecessary server accounts and revise the passwords to comply with SI password policy for valid server accounts. NMNH will identify unnecessary desktop workstation user accounts and remove them, consistent with the guidance contained in the Smithsonian IT Security Controls Manual. Target completion date: March 31, 2005.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

6. We recommended that the Director, National Museum of Natural History, ensure that his staff review the servers and workstations to ensure that all patches and updates are installed for the operating systems and applications, beginning with those machines shown to be vulnerable to the high risk Microsoft worm vulnerabilities.

Management Comments

Concur. NMNH is developing a plan for administering Windows servers to include ensuring that upgrades and patches are installed in a timely manner. The high risk vulnerabilities identified in the Inspector General's report will be mitigated by December 31, 2004. Other vulnerabilities will be mitigated as resources allow. Target completion date: December 31, 2004.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

7. We recommended that the Director, National Museum of Natural History, ensure that his staff review publicly accessible NMNH websites for their necessity and consider developing a common design standard.

Management Comments

Concur. NMNH has established a 3-phased project to update the NMNH web pages. The first phase is to implement a common design for the top pages consistent with SI guidance. NMNH is seeking private funding to support the web page redesign. NMNH will also establish a web content steering committee to address web governance and prioritize further investments in web technology. Target completion date: This is expected to be an on-going effort.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation. When the three phases have been implemented and we have been notified, we will consider closing the recommendation.

8. We recommended that the Director, National Museum of Natural History, ensure that his staff relocate publicly accessible web servers off the NMNH and SI intranet to a secure network location.

Management Comments

Concur. Currently the servers that support publicly accessible web sites are supported by either NMNH IT, OCIO, or the departments. The NMNH goal is to create a more secure environment for web hosting, while still giving the departments the flexibility and freedom to create their own content and handle their own development work. To allow for maximum flexibility with the necessary security, NMNH IT will work with OCIO on a plan to relocate the public web sites to OCIO servers using Interwoven's OpenDeploy (website content distribution product). The Botany Department will begin a pilot in September that should enable departments to continue to develop web sites locally, but to push their content to a more secure location for public hosting. Target completion date: June 30, 2005.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

9. We recommended that the Director, National Museum of Natural History, ensure that his staff review operating system configurations in Windows servers to ensure they are securely configured to OCIO and industry standards.

Management Comments

Concur. In conjunction with Recommendation 6, NMNH will review Windows-based servers and take steps to securely configure the servers to OCIO and industry standards. Target completion date: March 30, 2005.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

10. We recommended that the Director, National Museum of Natural History, ensure that his staff establish a process to ensure regular oversight of the current NMNH practice permitting NMNH units to establish and administer their own servers, or formalize a reassignment of these responsibilities to a unit that can ensure that these systems are securely configured and administered.

Management Comments

Concur. NMNH will review departmental servers and determine whether the servers should be included in the OCIO application server consolidation project, be administered by the NMNH IT staff, or remain under the control of the individual departments with increased oversight. NMNH will ensure compliance with the IT Security Controls Manual whichever approach is adopted. Target completion date: March 31, 2005.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

11. We recommended that the Director, National Museum of Natural History, ensure that his staff review the IT staffing needs to ensure that staff levels and training needs exist to appropriately administer NMNH system resources.

Management Comments

Concur. NMNH has already begun this review. As a result of this review, NMNH will restructure the organizations that provide IT services. The ADP and Informatics groups are in the process of merging. Other realignments are under consideration. A review of staffing needs and recommendations on staffing decisions will be provided to the Director and NMNH Executive Staff in September. Target completion date: September 30, 2004.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendation.

We made two recommendations to the Chief Information Officer:

1. We recommended that the Chief Information Officer clarify the necessity of when and where to place links to the SI privacy policy and copyright restrictions posted on SI publicly accessible unit websites.

Management Comments

Concur. OCIO has drafted a technical note that establishes the requirement and procedures for including links to the standard Smithsonian Institution copyright notice, privacy notice, and the applicable top Smithsonian web page.

Office of the Inspector General Response

The Chief Information Officer released IT-950-TN01, Web Copyright and Privacy Notices, prior to the issuance of this report. This action was responsive to the recommendation. Therefore, this recommendation is closed.

2. We recommended that the Chief Information Officer review the use of the file transfer protocol (FTP) and consider establishing a policy requiring a more secure method of file sharing.

Management Comments

Concur. The Smithsonian Computer Security Manager will convene a technical working group to review alternative ways to securely transfer files and implement recommended alternative(s). Target completion date: January 30, 2005.

Office of the Inspector General Response

We believe the Chief Information Officer's planned actions, if implemented, are responsive to the recommendation.

Appendix A. Glossary

Anonymous Login Null Session. Anonymous Login Null Session is a network access connection using a blank user name and password.

Application. A complete, self-contained program that performs a specific function directly for the user. This is in contrast to system software such as the operating system, which exists to support application programs.

Computer Worm. A computer worm is a piece of computer code that is loaded onto a computer for malicious purposes and often transmits itself from one host to another across a network.
Typically, worms and viruses engulf a computer\'s memory until the\nsystem halts.\n\nDirectory. A computer system used to organize files on the basis of specific information.\n\nFTP. FTP (File Transfer Protocol) is used extensively as a protocol to transfer files from\none computer to another.\n\nHotfixes. Hotfixes and security patches are intended for enterprise implementations and\nprovide an extra level of security for mission-critical software systems. Specifically,\nsecurity patches eliminate vulnerabilities by mitigating recognized exploits.\n\nHTTP. HTTP (Hypertext Transfer Protocol) is the underlying protocol used by the\nWorld Wide Web. HTTP defines how messages are formatted and transmitted, and what\nactions web servers and browsers should take in response to various commands.\n\nNetBIOS. NetBIOS is part of the Windows networking technology that facilitates the\nsharing of files and computer resources across a network.\n\nNetBIOS Network Shares. NetBIOS Network Shares are a feature commonly provided on\ncomputers running Microsoft Windows that allows the sharing of files or folders across a\nnetwork with other computers.\n\nOperating System. The software which handles the interface to hardware, schedules tasks,\nallocates storage, and presents a default interface to the user when no application program\nis running.\n\nRemote Registry Access (RAC). Remote Registry Access is the ability to remotely access the\nregistry settings that are used to manage software, device configurations, and user\nsettings.\n\nRemote Procedure Calls (RPC). Remote Procedure Call is the ability for one computer to\naccess another computer and execute arbitrary code on that computer.\n\nSecurity Hole. A security hole is a security weakness that permits a computer intruder to\nget access to files or walk through the file system. A security warning is a weakness that\ncan be exploited in conjunction with a vulnerability.\n\x0cServer. 
A computer or device which provides some service for other computers connected\nto it via a network. For example, a file server is a computer and storage device dedicated\nto storing files and sharing those files over a network. A print server is a computer or\ndevice that manages one or more printers, while a network server is a computer that\nmanages network traffic. A database server is a computer system that processes database\nqueries.\n\nSimple Network Management Protocol. Simple Network Management Protocol (SNMP) is\nused extensively to remotely manage and configure devices such as printers, network\nrouters, and to monitor network services.\n\nSSH. SSH or Secure Shell is a popular service for securing system logins, command\nexecution, and file transfers across networks.\n\nSystem Administrator. An individual responsible for maintaining a computer system,\nincluding a local-area network. Typical duties include: adding and configuring new\nworkstations, setting up user accounts, installing system-wide software, and performing\nprocedures to prevent the spread of viruses.\n\nProtocol. When data is being transmitted between two or more devices, something needs\nto govern the controls that keep this data intact. A protocol is a formal description of\nmessage formats and the rules two computers must follow to exchange those messages.\nProtocols can describe low-level details of machine-to-machine interfaces or high-level\nexchanges between application programs.\n\nWarning banner. A warning banner is a screen with text that gives notice to individuals\nwho are accessing a computer.\n\nWeb server. A web server is an application running on a computer which sends out web\npages in response to requests from remote network or Internet users.\n\x0cAppendix B. 
Policies and Industry Standards\n\nWe evaluated NMNH system security from November 14,2003, through August 5,2004.\nWe used Smithsonian Directives as well as industry guidance and standards from the\nNIST, Government Accountability Office (formerly the General Accounting Office),\nNational SecurityAgency, and Microsoft Corporation\n\nSmithsonian Directive 115, Management Controls, revised July 23, 1996,lists standards\nthat apply to all Institution units. The directive requires managers to take systematic and\nproactive steps to develop and implement appropriate, cost-effective management\ncontrols. These controls should provide reasonable assurance that assets are safeguarded\nagainst waste, loss, unauthorized use, and misappropriation.\n\nSmithsonian Directive 931, Use of Computers e+ Networks, August 5,2002, provides\nInstitution policy on computer safeguards to protect Smithsonian equipment and data.\nUsers are required to use safeguards including: having a password with at least eight\nalphanumeric and special characters. Passwords must not be found in a dictionary, easily\nguessed, or left in writing in the user\'s office. In addition, passwords should be changed\nevery ninety days and not reused.\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN02, Auditing e+ Logging Procedures, September 8,2003, describes the configuration,\nsettings, size and frequency of log review for all auditable systems. This technical note\ncovers all network devices (e.g., routers, switches),network servers, file servers, database\nservers, application servers, firewalls and intrusion detection systems. 
The objective is to\nestablish a standard frequency for monitoring audit logs.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN04, Disabling and Deleting Dormant Accounts, August 27,2003, establishes procedures\nto be used to monitor and disable network accounts at the Smithsonian Institution which\nhave not been used within the last thirty days, and to delete accounts that have been\ndormant for 180 days.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN08, Implementing Vendor Software Patches/Fixes, August 27,2003, establishes that\nsystem administrators or designated technical staff are required to apply security patches\nor fuces in a timely manner. Patches must be installed on production within seven days of\nsuccessful completion of testing.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN10, Minimizing Access to Production Software and Data, August 27, 2003, establishes\nprocedures by which production data and software can be safeguarded from\nunauthorized access, modification, and deletion.\n\x0cAppendix B. Policies and Industry Standards (Continued)\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN12, Password Policy Compliance Testing, August 27,2003, establishes procedures to be\nused to verify compliance with established password usage policies (SD 931, Use of\nComputers e+ Networks) at the Smithsonian Institution. 
The goal is to establish a system\nof checks and reports that records and monitors the enforcement of password usage.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note, Windows\n2000 Server Baseline Configuration /Build Notes Application Server Edition Version 1.1,\nNovember 4, 2003, provides a setup and configuration guideline and baseline for the\nstandalone Windows 2000 application servers used in Smithsonian Institution web\ninfrastructure. The purpose of this guideline is to serve as a step-by-step guide and check-\nlist for building a well configured and secure Windows 2000 Server with associated\ninfrastructure applications.\n\nGeneral Accounting Office (now the Government Accountability Office), Financial\nInformation Systems Control Audit Manual, January 1999, provides guidance in evaluating\ncomputer-related controls. The guidance describes access controls to provide reasonable\nassurance that computer resources are protected against unauthorized modifications,\ndisclosure, loss, or impairment. Such controls include physical controls such as locking\ncomputer rooms to limit access. Inadequate access controls diminish the reliability of\ncomputerized data and increase the risk of destruction or inappropriate disclosure of\ndata.\n\nNational Security Agency, Research, Study by Trusted Systems Services, Windows N T\nSecurity Guidelines Considerations e+ Guidelinesfor Securely Configuring Windows NT in\nMultiple Environments, 1999, provides guidelines for countering known attacks on\nWindows NT installations that maliciously expose or modify user data. The goal is to\nmake Windows NT as secure as reasonably and practically possible. Implicit in the\nguidelines is the understanding that recommendations must be both effective against\ncertain threats and also practical. 
A balance is necessary between security and operations\nbecause some controls impede operational capability.\n\nNational Security Agency, Guide to Securing Microsoft Windows 2000 File and Disk\nResources, April 19,2001, recommends that all volumes use new technology file system in\norder to achieve the highest level of security. Under Windows 2000, only new technology\nfile system supports discretionary access control to the directories and files. New\ntechnology file system volumes provide secure and auditable access to the files.\nTherefore, any file allocation table partitions should be converted to new technology file\nsystem.\n\nNational Security Agency, Guide to Securing Microsoft Windows NT Networks, 2001,\nidentifies a variety of available Windows NT 4.0 security mechanisms and describes\nmeasures for their implementation. The guide provides step-by-step instructions on how\nto utilize the operating system\'s built-in security features.\n\x0cAppendix B. Policies and Industry Standards (Continued)\n\nNIST Special Publication 800- 18, Guidefor Developing Security Plans for Information\nTechnology Systems, December 1998, states that the objective of system security planning\nis to improve the protection of information technology resources. All federal systems\nhave some level of sensitivity and require protection as part of good management\npractice. According to NIST, system security plans should document the protection of\nthe system.\n\nAdditionally, the completion of system security plans is a requirement of the Office of\nManagement and Budget Circular A-130, Management of Federal Information Resources,\nAppendix 111, Security of Federal Automated Information Resources, and Public Law 100-\n235, Computer Security Act of 1987. The purpose of the security plan is to provide an\noverview of the security requirements of the system and describe the controls in place for\nmeeting those requirements. 
The system security plan also delineates the responsibilities\nand expected behavior of all individuals who access the system.\n\nNIST, Guidelines on Securing Public Web Sewers, Special Publication 800-44, September\n2002, provides guidelines on securing both Apache and Internet Information Services web\nserver applications. The guidelines include installing permanent fixes (often called\npatches, hot fixes, service packs, or updates), and removing or disabling unnecessary\nservices and applications. Ideally, a Web server should be on a dedicated, single-purpose\nhost. Many operating systems are configured by default to provide a wider range of\nservices and applications than required by a Web server; therefore, a Web administrator\nshould configure the operating system to remove or disable unneeded services. Some\ncommon examples of services that should usually be disabled would include: Windows\nnetwork basic inputloutput system (NetBIOS),if not required, file transfer protocol;\ntelnet; simple management transfer protocol; and software development tools.\n\nNIST special publication, Generally Accepted Principles and Practicesfor Securing\nInformation Technology Systems, September 1996, provides instructions,\nrecommendations, and considerations for government computer security. According to\nthis publication, security policies and procedures should be in place to protect valuable\nresources, such as information, hardware, and software. The security program should\nallow for periodic assessments and should ensure that personnel understand their\nrespective responsibilities.\n\nMicrosoft White Paper, Securing Windows NT Installation, 1997, states that the default,\nout-of-the-box NT configuration is unsecured, and discusses various security issues with\nrespect to configuring all Windows NT operating system products.\n\x0cAppendix C. 
Management Comments\n\n\n\n\n                        Smithsonian \n\n                        National Museum of Natural History \n\n\n\n\n\n         [)are      August 25,2004\n            TO \t     Tom D. Blair, Inspector General\n\n             cc \t    Slieiia Burke, Deputy Secretary and Chief Operating Officer \n\n                     David Evans, Iinder Secretary for Science \n\n         I.M, \t      Crisiiin San~per,Directcor,National M~iseum \n\n                     Dennis R. Shuv, Chicf Infom~ationOfficer \n\n\n        Sobjecl \t    Response to the DraFt Report, Office ofthe Inspector General Audit A-04-03,\n                     Information Spstcnl Controls at the National Museum of Natural lfistory\n\n\n                         Thank you for the opportunity to cotnment on the draft audit report on the lnformation\n                     System Controls at the National Museum of Natural I-Iistory. We agree with the audit\n                     lindings and the report recommendations. Planned actions ;md tirnelines for co~npletiy\n                     actions associated wirh each rcco~nmendationare contained in the attachment.\n\n                       Please direct any questions you m y have regarding this response to Rnlce LYaniels,\n                     OCIO Computer Security Mmagcr, at 202-633-6000 or Carol Fiertz, NMNII IT\n                     Manr~gcr,at 202-633-0768\n\x0cAppendix C. Management Comments (Continued)\n\n\n\n\n           Recommendations to the Director, National Museum of Natural History:\n\n           liecommendrtion 1: Kcview the identified open ports and available serviccs and closc\n           those that iire deemed unnecessary.\n\n           Comment: Coilcur. NMNH is currently reviewing all NMNFI controlled servers ibr\n           compliance u-ith OCJO policies and will create arepon of the services and ports currently\n           open on each server, to whom, and why. 
In addition, as part of the migration to the\n           Checkpoint firewall system, NMNH will identify all open ports and services During the\n           migration period, NMNH will review the open ports and services and detcrmiue if any\n           are no longer required and document the business requirement for the ports Icf\'t open.\n\n           Target Completion Date: December 3 1,2004\n\n            Kecommendation 2: Update the server inventory documentation to ensure all NMNH\n            system resources are r~ccuratelyaccounted for md up-to-date\n\n            Commerrt: Cnncur. NMNH has begun work to update the server inventory\n            documentation.\n            Target Completion Date: December 3I, 2004\n\n            Recommendation 3: Address md correct the server and work station security holes\n            identified.\n\n            Comment: Concur. Correcting the high risk server and workstation security weaknesses\n            is a priority for NMNH. Since this work is tabor intcnsivc. NMNH will frst draft a plan\n            by Dccember 3 1\'\' that identifies the most cost-effective methodology to mitigate the\n            weaknesses and the resources needed to complete the task.\n\n            Target Completion Date: May 1,2005\n\n            Recoznmendation 4: Reaffinn the necessity to comply with the SI password policy\n            across NMNI I and non-S Itenants.\n\n            Comment: Concur. NMNlI is committed to achieving compl~ancev ~ t hthc SI password\n            policy contained in SD 93 1. 
NMNH will send an email to all NMNH employees and\n            thosc from other agencies working in the museum reiterating the SI password policy and\n            commit to reviewing passwords on a quarterly basis consistent with the guidance\n            contait~cdin the SI IT Sccurity Controls Manual.\n\n            Target Completion Date: November 30,2004\n\n            Recommendation 5: Keview and remove unnecessary accounts on all servers and\n            workstations.\n\n            Comment: <:oncur. As a rust stcp, NMNH will review the information provided by the\n\x0cAppendix C. Management Comments (Continued)\n\n\n\n\n          OIG and remove all unnecessary server accounts and revise the passwords to comply\n          with SI password policy for valid server accounts. NMNH will identify nnnecessary\n          desktop workstation user accounts and remove them, consistent with the guidance\n          containcd in the Sn~ithsonianIT Security Controls Manual.\n          Target Completion Date: March 3 1,2005\n\n          Recommendation 6: Review the servers and workstations to ensure all patches and\n          updates arc installed for the operating systems and applications beginning wit11 those\n          machines shown to be vulnerable to the high risk Microsoft worn1 vulnerabiliti~s\n\n          Comment: Concur. NMNH is dcveloninp       - - a plan\n                                                          - for administering Windows servers to\n          include ensuring that upgrades and patches we installed in a tinlelimanner. \'I\'hc high\n          risk vulnerabilities idcntificd in the IG rmort will be mitigated by December 31,2004.\n          Other vull~crabilitieswill be mitigated as\'resources allow-\n           Target Completion Date: December 31,2004\n\n          Recommendation 7: Kcvicw those publicly accessible NMNH websites for their\n          necessity and consider developing a common design standard.\n\n          Comment: Concur. 
NMNH has established a 3-phased project to update the NMNH\n          tvcb pages. The first phase is to implement a common design for the top pages consistent\n          with SI guidance. NMNH is seeking private fwding to support the web page rcdesign.\n          NMNII will also establish a web content steering committee to address web governance\n          and prioritize hrthcr invcstn~cntsin web technology.\n           Target Completion Date: This is expected to be an on-going effort.\n\n           Recon~mendation8: Relocate publicly accessible web servcrs off the NMNIT and SI\n           intranct to a secure nehvork location.\n\n           Comment: Conc~u.Currently the servers that support publicly accessible web sites are\n           supported by cither NbfNIT-IT, OC10, or the departments. The NMNH goal is to create\n           a more secure enviro~mlentfor web hosting, while still giving t11c departments the\n           flexibility and freedom to crcate their own content and hndle their own development\n           work. \'To allow for maximum flexibility with the necessary security, NMNI1-IT will\n           work ulth OCIO on aplan to relocate the public web sites to OClO servers using\n           Intenvove~isOpen3)epluy. \'She Botany Department will begin a pilot in Septen~berthat\n           should enable departments to continue to develop web sites locally, but to push t11eir\n           content to a more sccurc location for public hosting.\n\n           Tnrget Con~pIetionDate: June 30,2005\n\n           Hecommendation 9: Keview operating system confiy a t i o n s in Willdows servers\' to\n           ensure they are securely configured to OCIO and industry standards.\n\n           Comment: Concur. In conjunction with Recon~mendation#6, NMNiI will review\n\x0cAppendix C. 
Management Comments (Continued)\n\n\n\n\n           Windows-based server and takc steps to securely configure the servers to OClO and\n           industry standards.\n           Target Completion Date: March 30,2005\n\n           Recommendation 10: l\'stablish a pmcess to ensure regular oversight of the current\n           NMNI-1 practice pennitting NMNH units to establish and administcr their own servers or\n           formalize a reassignn~entof these responsibilities to a unit that can cnsurc thcse systcms\n           are securely configured and administered.\n\n           Comment: Concur. NMNH will review departmental servers and determine whcthcr\n           the sewers should be included in the OCIO application server consolidation project, be\n           administered by the NMNH IT staff, or remain under the control of the individual\n           dcparttnents with increased oversight. NMNH will ensure compliance with the IT\n           Security Controls Manual whichever approach is adopted.\n           Targot Completion Date: March 31,2005\n\n           Recommendation 11: Review the IT staffing needs to ensure stafTlevels and training\n           necds exist to appropriately administer NMNFI system resources.\n\n           Comment: Concur. NMNII has nlready begun this revicw. As a result of this revicw,\n           NMNH will restructure the organizations that pmvidc n\'senriccs. 721e AIIP and\n           Informatics groups are in the process of merging. Other realignments are under\n           consideration. A review of\' stailing needs and recommendations on staffing decisions\n           will be provided to the Director and NMNH Executive Staff in September.\n\n           Target Completion Date: September 30,2004\n\x0cAppendix C. 
Management Comments (Continued)\n\n\n\n\n            Recommendations to the Chief Information Officer:\n\n            Recommendation 1: Clarify the necessity of when and where to place links to the SI\n            privacy policy and copyright restrictions posted on Sl publicly accessible unit wcbsites.\n            Comment: Cullcur. OCIO has drafted a technical notc that cstablishcs the requirement\n            and proced~uesfor including l u h to the standard Smithsonian Institution copyright\n            notice, privacy notice, and the applicabletop Smithsonian web pagc. \'I\'hc Office of\n            Gcneral Council and the Office of Public Affairs are reviewing the proposed guidance.\n\n            Completio~iDate: September 30,2004\n\n            Recommendation 2: Review the use of the file transfer protocol (FTP) and consider\n            establishing a policy requiring a more secure method of file sharing.\n\n            Comment: Concur. The Smithsonian Computer Security Manager will convene :I\n            technical working group to review altcmativc ways to securely transfcr files and\n            implement recommended alternative(s).\n\n            Completion Ijnte: .lanunry 30,2005\n\x0c'